Accuracy is not enough: a heterogeneous ensemble model versus FGSM attack
Complex & Intelligent Systems (IF 5.0), Pub Date: 2024-08-28, DOI: 10.1007/s40747-024-01603-z
Reham A. Elsheikh, M. A. Mohamed, Ahmed Mohamed Abou-Taleb, Mohamed Maher Ata

In this paper, based on facial landmark approaches, the possible vulnerability of ensemble algorithms to the FGSM attack is assessed using three commonly used models: convolutional neural network-based antialiasing (A_CNN), Xc_Deep2-based DeepLab v2, and SqueezeNet (Squ_Net)-based Fire modules. First, three individual deep learning classifiers for Facial Emotion Recognition (FER) are developed; the predictions from all three classifiers are then merged using majority voting to form the HEM_Net ensemble model. Next, their performance in the attack-free case is investigated in depth in terms of the Jaccard coefficient, accuracy, precision, recall, F1 score, and specificity. When applied to three benchmark datasets, the ensemble-based method (HEM_Net) performs significantly better in terms of precision and reliability while also decreasing the dimensionality of the input data, with an accuracy of 99.3%, 87%, and 99% for the Extended Cohn-Kanade (CK+), Real-world Affective Face (RafD), and Japanese female facial expressions (Jaffee) data, respectively. Further, a comprehensive analysis of the drop in performance of every model under the FGSM attack is carried out over a range of epsilon values (the perturbation parameter). The experimental results show that the accuracy of the proposed HEM_Net model declined drastically, by 59.72% for CK+ data, 42.53% for RafD images, and 48.49% for the Jaffee dataset, when the perturbation increased from A to E (attack levels). This demonstrates that a successful Fast Gradient Sign Method (FGSM) attack can significantly reduce the prediction performance of all individual classifiers as the attack level increases. However, due to the majority voting, the proposed HEM_Net model could improve its robustness against FGSM attacks, indicating that the ensemble can lessen deception by FGSM adversarial instances. This generally holds even as the perturbation level of the FGSM attack increases.




Updated: 2024-08-28